Report: Gay Dating Apps Still Vulnerable to Location Leaks

Many popular gay dating apps including Grindr, Romeo and Recon have been vulnerable to leaking user's location info, even if they choose to hide their location in settings. The apps have been aware of this weakness, called trilateration, for years, and according to the BBC, Grindr and Romeo have not changed their apps, but Recon has implemented changes to protect users' information.

In a story originally broken by Wired in 2016, researchers in Kyoto, Japan were able to use trilateration, the process of using fake GPS locations to triangulate users' locations to within several feet, to find a journalist's dummy accounts within minutes.

The BBC reports that these vulnerabilties still stand in many popular gay dating apps. An LGBT rights charity called Stonewall told BBC: "Protecting individual data and privacy is hugely important, especially for LGBT people worldwide who face discrimination, even persecution, if they are open about their identity."

The article goes on to suggest changes that the companies could make to mitigate the risks of location leaks, including: "only storing the first three decimal places of latitude and longitude data, which would let people find other users in their street or neighbourhood without revealing their exact location," and "overlaying a grid across the world map and snapping each user to their nearest grid line, obscuring their exact location."

Recon has since implemented the "snap-to-grid" method, while Grindr said it has obfuscated location data "in countries where it is dangerous or illegal to be a member of the LGBTQ+ community." Romeo, however, still claims incorrectly that it is "technically impossible" to prevent trilateration attacks. The app does let users fix their location to a specific point on the map if they wish to hide their true location. Hornet also has implemented the "snap-to-grid" method. Scruff told BBC that it has implemented a location scrambling algorithm by default in "80 regions around the world where same-sex acts are criminalised."

Each of these apps, with the exception of Recon, has some variation of a setting allowing users to hide their location or the exact distance between users, but many of these settings are not enabled by default.

The BBC reports: "There is another way to work out a target's location, even if they have chosen to hide their distance in the settings menu... In 2016, researchers demonstrated it was possible to locate a target by surrounding him with several fake profiles and moving the fake profiles around the map. The only app to confirm it had taken steps to mitigate this attack was Hornet, which told BBC News it randomised the grid of nearby profiles."

"The risks are unthinkable," said Prof Angela Sasse, a cyber-security and privacy expert at UCL to the BBC. She said location sharing should "always [be] something the user enables voluntarily after being reminded what the risks are."

In the words of Apple's openly gay CEO Tim Cook, "Privacy is a matter of life and death."